We've garnered a lot of positive market feedback in the five months since we exited stealth. Hands down, the most frequent initial response we get is "Wow, that is the coolest security UI I've ever seen." We've heard this from every corner of the community, including users, industry analysts, designers, and even other security vendors.

We've devoted a lot of time to completely re-thinking security visualization in order to provide incident responders with vastly increased visibility into network activity, a rich set of forensic tools, and a way to de-noise the security environment and speed response times.

We've devoted just as much time and thought to how our cloud platform can revolutionize threat detection. In fact, the UI is the culmination of a lot of powerful technology under the hood, built on our commitment to put a stop to the proliferation and Balkanization of security point products. I'd like to start shining the spotlight on our threat detection technology, which operates both in real time and retrospectively.

The Full Spectrum Analytics Approach

Detecting modern attacks requires a fully integrated and unified analytics architecture. Our cloud form factor makes it possible to fuse several techniques into a threat detection spectrum. A full spectrum analytics approach means that each sub-component does one thing really well, in a way that complements all the other pieces of the puzzle. Intelligence, context and multi-faceted analytics all work together to complete the picture.

Let's take a look at some of the building blocks that comprise our full spectrum analytics approach:

Intelligence Analysis: We actively partner with third parties to leverage the most up-to-date intelligence when evaluating potential threats. Our intelligence feeds update in real time and are actively curated by our internal threat research team, so that we have as much context as possible for evaluating suspicious activity on the network.

Signatures: Signatures? But I thought they were dead... Not so! Signatures may be tired, but they are not dead. While signature-based threat detection is table stakes, and not super sexy, it is still useful in detecting well-known attacks. It's tactical threat intelligence. The indicators produced by signature-based detection are just one of many potential dots that can ultimately indicate the presence of malicious activity on a network. I will discuss other, more interesting dots a little further down this post.

Where signatures find new life and become infinitely more interesting is in retrospectively looking for zero-day attacks in historic network traffic. At ProtectWise, rather than relying on signatures to find commodity attacks in real time, we have the ability to create signatures for newly acquired intelligence, be it a new variant of polymorphic malware or a previously unseen exploit, and use these signatures to re-analyze our Cloud Network DVR for the presence of previously undiscovered attacks in the network's past.

This has proven very, very useful in uncovering attacks that are generally carried out using these more advanced techniques. Since building our PCAP library, we have found that we uncover these advanced attacks on a nearly daily basis, and are able to help our customers remediate the associated risks in days rather than months, removing the attackers' ability to lie dormant in the network before doing real damage. This is just part of an overarching deep analysis strategy that I will discuss in my next post.
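To make the retrospective step concrete, here is an added example (illustrative code, not ProtectWise's own) of re-scanning a stored-traffic archive with a signature written after the traffic was captured. The in-memory archive, hosts and the `X-Tag: variant-7` pattern are all constructed for the example; the dwell time it reports is the gap between the earliest historic hit and the moment of detection.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the stored-traffic archive the post calls the
# Cloud Network DVR: one record per captured conversation.
@dataclass(frozen=True)
class Conversation:
    seen_at: datetime
    src: str
    dst: str
    payload: bytes

# Constructed sample archive (hypothetical hosts and payloads, not real traffic).
ARCHIVE = [
    Conversation(datetime(2015, 3, 1, 9, 0), "10.0.0.5", "203.0.113.7", b"GET /index.html HTTP/1.1"),
    Conversation(datetime(2015, 3, 2, 9, 5), "10.0.0.5", "203.0.113.7", b"POST /cb HTTP/1.1\r\nX-Tag: variant-7"),
    Conversation(datetime(2015, 3, 9, 9, 6), "10.0.0.8", "203.0.113.7", b"POST /cb HTTP/1.1\r\nX-Tag: variant-7"),
    Conversation(datetime(2015, 3, 15, 9, 7), "10.0.0.9", "198.51.100.4", b"GET /news HTTP/1.1"),
]

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # byte pattern distilled from newly acquired intelligence

def retrospective_scan(archive, signature, now):
    """Re-analyze every stored conversation against a signature that did not
    exist when the traffic was captured. Returns the hits oldest-first and the
    dwell time: how long the earliest hit sat undetected before `now`."""
    hits = sorted((c for c in archive if signature.pattern in c.payload),
                  key=lambda c: c.seen_at)
    dwell = (now - hits[0].seen_at) if hits else timedelta(0)
    return hits, dwell

def affected_hosts(hits):
    """Distinct internal hosts seen in the hits, to scope remediation."""
    return sorted({c.src for c in hits})

if __name__ == "__main__":
    # A signature written today for a variant first seen two weeks ago.
    sig = Signature("constructed-variant-7", b"X-Tag: variant-7")
    hits, dwell = retrospective_scan(ARCHIVE, sig, datetime(2015, 3, 16, 12, 0))
    print(f"{sig.name}: {len(hits)} historic hit(s), earliest {dwell} ago,"
          f" hosts {affected_hosts(hits)}")
```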

Machine Learning: We quickly move past signature-based analysis by incorporating Machine Learning based classifiers into our threat detection platform. Rather than attempt to build a single uber classifier for network traffic (which would be fundamentally flawed and doomed to fail), we have built an arsenal of bespoke machine learning-based classifiers to score the individual components of a network conversation. These are built using a combination of supervised and unsupervised learning techniques. They are highly accurate at identifying the malicious attributes of a network conversation without relying on signatures, blacklists, or other notary services.

Behavioral Analysis & Anomaly Detection: Rounding out the core components of our Time Machine for Threat Detection is the coming addition of behavioral analysis based detection engines. Behavior-based threat detection works on the premise that a compromised host will exhibit subtle (or not so subtle) shifts in its behavior once it has been targeted or compromised.

Adding behavioral analysis allows us to expand our capabilities to include the detection of compromised machines based on changes in the way they are behaving on the network.

The core differentiator of our approach to behavioral modeling is fidelity. We have the packets (and PCAP doesn't lie), so we can create behavioral scores in much more detail than models that rely on netflow or other metadata-based algorithms.

Given the strengths and weaknesses of each of these approaches, we should think of them as neither better nor worse than one another, but as complementary components of a holistic solution: the classic defense in depth approach, redefined as analytics in depth.

Hierarchical Decision Processes: Every Output is an Input

The final piece of the ProtectWise analytics puzzle is found in our network state machine. This is not a repetition of the meta-rules you'd find in a SIEM, but a generalized weighting and decision process. Its coefficients are kept up to date with our backend analytics processes, which I'll cover in more depth in a future blog post.

There are no silver bullets. There is no deterministic algorithm.

We should all keep in mind that the output of any analytics solution requires interpretation by a secondary decision process. Sometimes this is another machine; often it is a human. By using a hierarchy of smart machines we reduce the workload on the advanced humans, who must make the final decision.
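The following is an added example of the "every output is an input" hierarchy described in this section and of the per-component classifier scoring from the Machine Learning section; it is illustrative code, not ProtectWise's network state machine. The coefficients, severity bands and the noisy-OR host aggregation are assumptions, and the evidence values are constructed detector outputs normalized to 0.0-1.0.

```python
from dataclasses import dataclass

# Constructed per-conversation evidence. Each field is the normalized (0.0-1.0)
# output of a hypothetical upstream detector: intelligence, signatures, the
# bespoke per-component classifiers, and the host's behavioral model.
@dataclass(frozen=True)
class Evidence:
    intel_match: float     # destination on a curated intelligence feed
    signature_hit: float   # signature-based detector matched
    dns_score: float       # classifier for the DNS component of the conversation
    http_score: float      # classifier for the HTTP component
    payload_score: float   # classifier for the payload component
    behavior_shift: float  # deviation of the host from its behavioral baseline

# Hypothetical fixed coefficients; the post says the real ones are kept up to
# date by the backend analytics processes.
COMPONENT_WEIGHTS = {"dns_score": 0.3, "http_score": 0.3, "payload_score": 0.4}
TIER2_WEIGHTS = {"intel_match": 0.35, "signature_hit": 0.25,
                 "ml_score": 0.25, "behavior_shift": 0.15}
SEVERITY_BANDS = [(0.75, "critical"), (0.5, "high"), (0.25, "medium"), (0.0, "low")]

def weighted(scores, weights):
    return sum(scores[name] * w for name, w in weights.items())

def tier1_ml_score(ev):
    """Tier 1: fuse the per-component classifier outputs into one ML score.
    Its output is an input to the next tier, never a verdict on its own."""
    return weighted(vars(ev), COMPONENT_WEIGHTS)

def tier2_conversation_score(ev):
    """Tier 2: weigh intelligence, signature, fused ML and behavioral inputs."""
    inputs = {"intel_match": ev.intel_match, "signature_hit": ev.signature_hit,
              "ml_score": tier1_ml_score(ev), "behavior_shift": ev.behavior_shift}
    return weighted(inputs, TIER2_WEIGHTS)

def tier3_host_score(conversation_scores):
    """Tier 3: noisy-OR over a host's conversations, so several moderate
    conversations escalate the host even when none is conclusive alone."""
    survival = 1.0
    for s in conversation_scores:
        survival *= 1.0 - s
    return 1.0 - survival

def severity(score):
    """Map a score to the band shown to the analyst who makes the final call."""
    return next(label for threshold, label in SEVERITY_BANDS if score >= threshold)
```

A conversation with no intelligence or signature hit but strong classifier and behavioral scores lands in the medium band on its own, while a second conversation from the same host that does match intelligence pushes the host-level score into the critical band.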